Re: pf and detection of non-resolvable ip numbers
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf and detection of non-resolvable ip numbers
- From: Joachim Schipper <j_(_dot_)_schipper_(_at_)_math_(_dot_)_uu_(_dot_)_nl>
- Date: Thu, 13 Apr 2006 16:21:23 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Thu, Apr 13, 2006 at 01:58:10PM +0200, Michael Schmidt wrote:
> Lars Hansson wrote:
> >On Thursday 13 April 2006 18:05, Michael Schmidt wrote:
> >>reading several man pages did give no answer to this:
> >>Is there a way within pf that pf can detect especially those ip numbers
> >>which do not belong to a hostname, in other words which are not
> >>resolvable to hostnames?
> >No. Perhaps you could create some ugly kludge by logging all and have a
> >cron job read the pflog logfile and do reverse lookups but I highly doubt
> >it would be feasible or even work.
> Meanwhile I have seen after having sent my initial mail that there is a
> way similar to your suggestion without the need of explicit dns lookups,
> as it includes implicit lookups.
> In the pf.conf if you have any rule combined with log functionality then
> it's logged into the pflog file, that file contains either hostnames or
> ip numbers, in case of ip numbers the ip numbers could not be resolved
> to hostnames.
> Is this behaviour a standard one?
Yes, it is standard behaviour of tcpdump(8). See -n, and pflogd(8).
DNS lookups would slow pf(4) down by far too much. Don't try it.
> >>The reason why I am asking is that I want to catch especially these
> >I can't help but ask why?
> You are right to ask why.
> The reason is I want to achieve this task: We have a few bad users which
> give themselves ip numbers (free unused ones out of our pool), I want to
> catch the ip numbers taken by those users.
There are several wrong ways to go about this, you picked one.
ISTR a patch to dhcpd appearing on the tech@ list a month or so ago,
that would be one proper solution. However, whether you use this one or
some homegrown script, the point should be to add authentic IPs to a
table and filter on the table.
However, if your network is not physically secure, the fun only begins
with people giving themselves some random IP address. And some
protocols - anything UDP-based, for instance, and TCP on buggy stacks,
and ... - can be spoofed easily, anyway.
Assuming this is not just someone trying to be smart, or trying to
get things done without configuring dhcp for some reason.
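The approach Joachim recommends (add authentic IPs to a pf table and filter on that table) and the pflog reading that Michael describes, as an added example that is not part of the thread and is not OpenBSD's or anyone's posted code. It assumes a table named `<authorized>`, an internal interface `em0`, the lease file `/var/db/dhcpd.leases`, and that pflog is read with `tcpdump -n -e -ttt -r /var/log/pflog` (the `-n` keeps addresses numeric, so no DNS lookup is ever involved); the sample leases and log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: keep a pf table of
# authentic (DHCP-assigned) addresses and audit pflog(4) for sources outside it.
#
# Assumed pf.conf fragment (table name and interface are this example's choice):
#   table <authorized> persist file "/etc/authorized"
#   block in log on em0 from !<authorized> to any
#   pass  in     on em0 from  <authorized> to any
#
# The log is read with "tcpdump -n -e -ttt -r /var/log/pflog"; -n keeps
# addresses numeric, so no reverse DNS lookup happens anywhere in this flow.

# Print the address of every lease block ("lease A.B.C.D {") found in
# dhcpd.leases-format text on stdin. Lease expiry ("ends") is not checked here.
leases_to_ips() {
    awk '$1 == "lease" && $NF == "{" { print $2 }' | sort -u
}

# Print every inbound source address in tcpdump -n pflog output (stdin) that
# is not listed in the file $1 (one address per line).
unauthorized_sources() {
    awk -v allowed="$1" '
        BEGIN { while ((getline ip < allowed) > 0) ok[ip] = 1 }
        / in on / {
            src = ""
            for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            n = split(src, p, ".")
            if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]   # drop .PORT
            if (!(src in ok)) print src
        }' | sort -u
}

# Rebuild the table file from the live leases and load it into pf.
# pfctl(8) only exists on the firewall; elsewhere this just prints the list.
sync_authorized_table() {
    leases="${1:-/var/db/dhcpd.leases}"
    out="${2:-/etc/authorized}"
    tmp=$(mktemp) || return 1
    leases_to_ips < "$leases" > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        mv "$tmp" "$out" && pfctl -t authorized -T replace -f "$out"
    else
        cat "$tmp"; rm -f "$tmp"
    fi
}

# Constructed sample input (not real data) so the script runs offline.
SAMPLE_LEASES='lease 10.0.0.10 {
  starts 4 2006/04/13 12:00:00;
  ends 4 2006/04/13 13:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.11 {
  starts 4 2006/04/13 12:30:00;
  ends 4 2006/04/13 13:30:00;
  hardware ethernet 00:11:22:33:44:66;
}'

SAMPLE_PFLOG='Apr 13 16:20:01.000001 rule 1/(match) block in on em0: 10.0.0.99.40213 > 10.0.0.1.22: S 1:1(0) win 16384
Apr 13 16:20:02.000001 rule 2/(match) pass in on em0: 10.0.0.10.1025 > 10.0.0.1.53: 1+ A? example.org. (29)
Apr 13 16:20:03.000001 rule 1/(match) block in on em0: 10.0.0.200 > 10.0.0.1: icmp: echo request
Apr 13 16:20:04.000001 rule 3/(match) pass out on em0: 10.0.0.1.53 > 10.0.0.10.1025: 1 1/0/0 (45)'

# Run the two steps over the constructed samples: prints 10.0.0.200 and 10.0.0.99.
demo() {
    allowed=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LEASES" | leases_to_ips > "$allowed"
    printf '%s\n' "$SAMPLE_PFLOG" | unauthorized_sources "$allowed"
    rm -f "$allowed"
}

demo
```

On the firewall, `sync_authorized_table` would be run from cron (or from a dhcpd lease hook) so the table tracks the current leases, and `unauthorized_sources` reads `tcpdump -n -e -ttt -r /var/log/pflog` to list the self-assigned addresses the `block in log` rule caught. As Joachim notes, this only gates on the source address: anyone who can put frames on the wire can still spoof one, so the table is a filtering and auditing aid, not physical security.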